CVE-2025-2564Incorrect Authorization in Mattermost Mattermost-server

CWE-863Incorrect AuthorizationCWE-835Infinite Loop6 documents4 sources
Severity
4.3MEDIUMNVD
EPSS
0.2%
top 59.87%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
4
Github.com Mattermost Mattermost-serverGithub.com Mattermost Mattermost Server V8Mattermost Server+1 more
Timeline
PublishedApr 16
Latest updateJul 23

Description

Mattermost versions 10.5.x <= 10.5.1, 10.4.x <= 10.4.3, 9.11.x <= 9.11.9 fail to properly enforce the 'Allow users to view/update archived channels' System Console setting, which allows authenticated users to view members and member information of archived channels even when this setting is disabled.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages4 packages

NVDmattermost/mattermost_server9.11.09.11.10+2
Gogithub.com/mattermost_mattermost-server9.11.0+incompatible9.11.10+incompatible+2
CVEListV5mattermost/mattermost10.5.010.5.1+2

🔴Vulnerability Details

5
GHSA
ImageMagick has XMP profile write that triggers hang due to unbounded loop2025-07-23
OSV
Mattermost Incorrect Authorization vulnerability in github.com/mattermost/mattermost-server2025-04-22
GHSA
Mattermost Incorrect Authorization vulnerability2025-04-16
CVEList
Unauthorized View Access to Archived Channel Member Info2025-04-16
OSV
Mattermost Incorrect Authorization vulnerability2025-04-16
CVE-2025-2564 — Incorrect Authorization | cvebase